Category Archives: Advisories

LSN-0093-1: Kernel Live Patch Security Notice

Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel
did not properly handle VLAN headers in some situations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-0179)

It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)

USN-5972-1: Thunderbird vulnerabilities

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2023-25152, CVE-2023-28162,
CVE-2023-28176)

Lukas Bernhard discovered that Thunderbird did not properly manage memory
when invalidating JIT code while following an iterator. An attacker could
potentially exploit this issue to cause a denial of service.
(CVE-2023-25751)

Luan Herrera discovered that Thunderbird did not properly handle
cross-origin iframes when dragging a URL. An attacker could potentially
exploit this issue to perform spoofing attacks. (CVE-2023-28164)

USN-5954-2: Firefox regressions

USN-5954-1 fixed vulnerabilities in Firefox. That update introduced
several minor regressions. This update fixes those regressions.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2023-25750,
CVE-2023-25752, CVE-2023-28162, CVE-2023-28176, CVE-2023-28177)

Lukas Bernhard discovered that Firefox did not properly manage memory
when invalidating JIT code while following an iterator. An attacker could
potentially exploit this issue to cause a denial of service.
(CVE-2023-25751)

Rob Wu discovered that Firefox did not properly handle URLs when
following a redirect to a publicly accessible web extension file. An
attacker could potentially exploit this to obtain sensitive information.
(CVE-2023-28160)

Luan Herrera discovered that Firefox did not properly handle cross-origin
iframes when dragging a URL. An attacker could potentially exploit this
issue to perform spoofing attacks. (CVE-2023-28164)

Khiem Tran discovered that Firefox did not properly manage one-time
permissions granted to a document loaded using a file: URL. An attacker
could potentially exploit this issue to use the granted one-time
permissions on local files that came from different sources.
(CVE-2023-28161)

DSA-5379 dino-im – security update

Kim Alvefur discovered that insufficient message sender validation in
dino-im, a modern XMPP/Jabber client, may result in manipulation of
entries in the personal bookmark store without user interaction via a
specially crafted message. Additionally, an attacker can take advantage
of this flaw to change how group chats are displayed or to force a user
to join or leave an attacker-selected group chat.

jpegoptim-1.5.3-1.fc38

FEDORA-2023-ee0bc9afb6

Packages in this update:

jpegoptim-1.5.3-1.fc38

Update description:

v1.5.3 – fix potential heap-buffer-overflow (read) when using stdin/stdout and processing corrupt JPEG

jpegoptim-1.5.3-1.el9

FEDORA-EPEL-2023-9391e7aeda

Packages in this update:

jpegoptim-1.5.3-1.el9

Update description:

v1.5.3 – fix potential heap-buffer-overflow (read) when using stdin/stdout and processing corrupt JPEG

openbgpd-7.9-1.el8

FEDORA-EPEL-2023-c408e6e00e

Packages in this update:

openbgpd-7.9-1.el8

Update description:

OpenBGPD 7.9

Includes OpenBSD 7.2 erratum 023: Incorrect length checks allow an out-of-bounds read in bgpd(8).

openbgpd-7.9-1.el7

FEDORA-EPEL-2023-9a3db4278b

Packages in this update:

openbgpd-7.9-1.el7

Update description:

OpenBGPD 7.9

Includes OpenBSD 7.2 erratum 023: Incorrect length checks allow an out-of-bounds read in bgpd(8).

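The Fedora and EPEL entries above name a fixed version-release for each package (jpegoptim 1.5.3-1, openbgpd 7.9-1). The POSIX shell script below is an added example, not part of the advisories or of Fedora's own tooling: it checks a list of installed packages against those fixed builds. The installed-package list is a constructed sample (an assumption) in the shape of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output; the dist tag (.fc38, .el8) is stripped before comparing, and the version comparison is a simplified rpmvercmp (punctuation-separated segments, numeric segments compared as numbers, a numeric segment ranking above an alphabetic one), not the real one.

```shell
#!/bin/sh
# Added example, not from the Fedora/EPEL advisories: report which installed
# RPMs are still below the fixed version-release named in an advisory.

# Fixed version-release per package, taken from the advisories on this page.
FIXED='jpegoptim 1.5.3-1
openbgpd 7.9-1'

# Constructed sample (assumption) of:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# jpegoptim is current, openbgpd is still one release behind.
INSTALLED='jpegoptim 1.5.3-1.fc38
openbgpd 7.8-2.el8
bash 5.2.15-3.fc38'

# strip_dist VR: drop a trailing dist tag (.fc38, .el8, ...) so that
# "1.5.3-1.fc38" compares as "1.5.3-1".
strip_dist() {
    printf '%s\n' "$1" | sed -E 's/\.(fc|el)[0-9]+$//'
}

# vercmp A B: print -1, 0 or 1. Simplified rpmvercmp: split on punctuation,
# compare numeric segments as numbers, rank a numeric segment above an
# alphabetic one, and let the longer string win when one is a prefix.
vercmp() {
    awk -v a="$1" -v b="$2" '
    function cmp(x, y,    n, m, i, xs, ys) {
        n = split(x, xs, /[^A-Za-z0-9]+/)
        m = split(y, ys, /[^A-Za-z0-9]+/)
        for (i = 1; i <= n && i <= m; i++) {
            if (xs[i] == ys[i]) continue
            if (xs[i] ~ /^[0-9]+$/ && ys[i] ~ /^[0-9]+$/)
                return (xs[i] + 0 < ys[i] + 0) ? -1 : 1
            if (xs[i] ~ /^[0-9]+$/) return 1
            if (ys[i] ~ /^[0-9]+$/) return -1
            return (xs[i] < ys[i]) ? -1 : 1
        }
        if (n == m) return 0
        return (n < m) ? -1 : 1
    }
    BEGIN { print cmp(a, b) }'
}

# check_package INSTALLED_VR FIXED_VR: print "ok" or "vulnerable".
check_package() {
    if [ "$(vercmp "$(strip_dist "$1")" "$2")" -lt 0 ]; then
        echo vulnerable
    else
        echo ok
    fi
}

# audit: one "NAME STATUS INSTALLED_VR" line per package listed in FIXED.
audit() {
    printf '%s\n' "$FIXED" | while read -r name fixed; do
        inst=$(printf '%s\n' "$INSTALLED" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$inst" ]; then
            printf '%s not-installed -\n' "$name"
        else
            printf '%s %s %s\n' "$name" "$(check_package "$inst" "$fixed")" "$inst"
        fi
    done
}

audit
```

On a real host, replace the INSTALLED sample with the output of the rpm query shown in the comment; `dnf updateinfo list --security` gives the same answer from the repository metadata, which is the authoritative check once the update has landed in the mirrors.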